UK Banking - Points of View Series Time for Bold Moves Managing Operational Risk in Payments Controlling and mitigating operational risk throughout the payments value chain


Time for Bold Moves

The path to sustainable profit: Achieving 15% ROE by 2012

This industry perspective focuses on helping banks manage operational risk in payments as a component of our Effective Risk Management imperative. This report provides a framework for controlling and mitigating operational risk throughout the payments value chain in today's complex post-crisis environment.

[Figure: Return on equity, headwinds and imperatives for growth. Headwinds: Higher Capital Ratio 5%; De-leveraging 6%; Higher Cost of Funding 6%; Reduced Fee Income 2%; NPL Provision Increase 3%. Imperatives for Growth: Inorganic Growth/Divestitures 1-5%; Effective Risk Mgmt 1%; Pricing Optimisation 1%; Robust Customer Mgmt 3%; Strategic Cost Reduction 5%. Other labels: Operational Control; Increased Regulation Cost.]

The path back to profitability for the banking sector is essential, but not assured. Banks must plot a route to a ROE of approximately 15% in order to attract capital and remain viable as commercial enterprises, and they must do this within a regulatory and market structure that will be constantly changing over the next 3-5 years. This uncertainty provides no excuse for underperformance. Strategies must be focused on hitting required balance sheet and profit parameters but also be able to adapt to major changes during execution. This creates a strategic agenda comprising headwinds that must be navigated in order to earn the right to attempt new growth strategies.

How do banks navigate the headwinds and control the profit levers to return to a level of sustainable profit that makes them attractive to investors?

Headwinds

Banks need to deal with the fallout from a wide-scale loss of trust. The tension between a political and economic view of the future of banking will result in conflicting instructions from stakeholders – deleverage but lend more; be narrow but socially useful; be innovative but keep it simple. This ‘wind over tide’ effect means navigating the headwinds will require more than just plotting a course and sticking to it.

Profit Levers Underpinning Growth Strategies

Growth is essential for sustainable profit. There is no course back to profit via cost cutting alone, but economies of scale must be found. Strategies for growth will differ depending on the starting point, but all must include exploiting the infrastructure of banking and aligning pricing with the costs of running this infrastructure, and tailoring product features and pricing more closely to risk and customer needs.

However, while managing operational risk in payments is critical, it is also very difficult, for a number of reasons. These arise primarily from the fact that most banks’ payments processes now are characterized by high complexity and a wide array of “moving parts”, reflecting the range and diversity of the components involved.

Firstly, there are all the different payment types to be handled—Bacs, CHAPS, international transfers, debit card, Faster Payments and cash, each with its own ID infrastructure, operational characteristics, scheme rules and formatting. Transaction volumes and settlement processes also vary between different payment types and channels. Then there is the paper trail of manual processes still prevalent in areas such as clearing. Add multiple payments channels, together with the need to handle customer liquidity on the one side and in-house treasury on the other, and the full complexity and multiplicity of the payments value chain become clear.

Operational risk in payments: a risk whose time has come

Against this background, many banks are processing tens or hundreds of billions of sterling, euros or dollars in payments via SWIFT every day, with the accompanying operating risk running at an unacceptably high level. At the same time, requirements such as SEPA, changes to SWIFT messaging standards, and new AML and anti-terrorist processes are intensifying the cost and complexity still further, even before operational improvement programmes are taken into account. And tightening regulatory regimes are progressively increasing the price of operational risk failures throughout the payments process.

A tough challenge

In the wake of the global financial crisis, banks’ risk landscape has changed dramatically. Previously, the focus was largely on market and credit risk. Today, events such as the collapse of Lehman Brothers have extended the focus to counterparty risk—reflecting the possibility that another institution may be having difficulties with its cash or liquidity position, or that the payments systems involved in the transaction may fail.

While a payments failure would initially be unrelated to credit or liquidity risks, its knock-on effects could extend into these business-critical areas. In a discussion paper produced by the Bank of England as follow-up to the 2008 Resilience Benchmarking project, the Bank noted that while resilience to major operational disruptions had improved in the UK financial sector participants and payment and settlement systems infrastructure had performed strongly against industry benchmarks, it was important for firms to recognise other significant threats to operational disruptions, such as terrorism and pandemic, and to continue to promote a corporate culture and policies that adequately support business continuity and crisis management objectives in the long-term, including participation in rigorous infrastructure business continuity testing.

For this reason, it is more vital than ever to tackle and prevent operational risk in the payments arena before it arises. This need was underlined still further in January 2011 by Sir John Vickers, chairman of the UK government-sponsored Independent Commission on Banking, who insisted that unsuccessful banks should be allowed to “fail safely” without being able to rely on a “generous safety net” from the taxpayer.

It is especially dangerous in this case since payments represent nothing less than the backbone of a retail or commercial bank: it is intrinsic to virtually everything it does, and is distributed in a broad and pervasive way across the operations. What is more, the systems underpinning payments processes are often ageing and even archaic, burdened with a complex web of bolt-ons and patches built up over many years. Even where banks have merged, legacy payments systems are often still running in parallel many years after the integration has been “completed”.

The resulting patchwork of diverse, ageing systems and automated and manual processes is a recipe for high operational risks. Yet the operational risks in this increasingly complex area have traditionally been regarded largely as a compliance issue, covered off by the allocation of an appropriate amount of capital under Basel II. Such an approach runs the risk of missing the point that it is far more important to control, measure and manage operational risks in payments than to simply account for them in capital terms.

The need for an end-to-end view

To truly seize control of these risks, a bank must first gain a clear end-to-end view of how payments transactions flow through the organisation, highlighting the potential “pinch-points” where specific risks arise along that journey. Figure 1 illustrates the typical risk “hotspots” that may be revealed by an in-depth assessment of a bank’s end-to-end payments value chain, conducted in parallel with related technology and process reviews.

As Figure 1 shows, risks can originate at many points in the value chain, ranging from front-office data acquisition, via middle-office processes, all the way to back office settlement, transmission and reporting. In general, operational risk at each of these different points will be the responsibility of a different individual or team.

This means it is important not just to understand what the risks are and where they arise, but also to gain visibility around how they link and interrelate along the chain. A silo-ed approach to operational risk may result in the same underlying problem being addressed through point solutions at multiple places. A single—and possibly relatively simple—end-to-end change may be a far more effective and efficient way to solve the issue. But this solution may not be visible to those responsible for correcting the effects of the glitch at each specific point.

A “hidden” issue

Alongside these challenges, a further significant hurdle in tackling operational risk in payments is the degree to which payments is embedded and almost “hidden” within other banking processes. As a result, it is largely taken for granted by most of the organisation—always a dangerous state of affairs with any vital process.

Figure 1: Typical risk “hotspots” in a bank’s payments value chain

Front Office, Middle Office and Back Office touchpoints

Value chain stages: Payment Acquisition; Payment Validation; Payment Verification; Payment Amend / Cancel; Payment Processing; Settle and Transmit; Reporting / Administration

Risk hotspots shown in the figure:

• Potential for data loss due to mishandling (e.g. faxed instructions)
• Manual sorting errors (of inbound documents)
• Manual data entry errors (payment processing)
• Incorrect approval of overdrawn payments
• Amends and cancellations not captured correctly and on time
• Slow manual process resulting in cut-off times being missed
• Processing delays due to late amends and cancels
• Automated system failures or processing errors
• Manual calculation and conversion errors
• Manual review required for payments that do not auto-match
• Incorrect data from payment originator
• Duplicate entries not detected
• Manual data entry errors (payments settlements)
• Errors arising from inefficient transaction settlement processes
• Overnight batch processing errors
• Low visibility and traceability of changes performed across multiple systems
• Manual check and reconciliation errors
• Inability to determine bank’s total exposure due to multiple systems existing in the organisation
• Business continuity procedures in place but rarely tested and poorly communicated to staff
• Processing is decentralised hence top-level controls not fully enforceable
• Technology infrastructure is out-dated or support is not adequate

A framework for mapping operational risk in payments

Accenture’s work with many leading banks in reviewing and improving their control and management of operational risks in payments has enabled us to build a proven and workable framework for mapping and addressing these risks. This framework essentially takes a situation where ownership of end-to-end payments processes, risks and governance is scattered across the bank, and creates an end-to-end view of all these elements, thereby enabling operational risks to be controlled and managed at the optimal points throughout.

The framework begins by ensuring that the basic data is in place to support the initial assessment. It does this by benchmarking the current payments systems, processes and data against four criteria:

Capacity

Capacity of systems — is the infrastructure sufficient for the current and potential volumes of payments passing through it, today and in the future?

Quality

Quality of data — has the data been sufficiently cleansed and verified at the point of entry so the middle and back office can rely on it?

Usage

Usage of information — given the capabilities of the systems, is data being used in the optimal available way to support processes such as risk assessment, risk reporting and provision of risk management dashboards?

Transparency

Transparency around process compliance — does the management information generated from the process reveal key risk management intelligence, such as past and current exposure to losses and loss event history, thereby providing pointers to risk hotspots?

Having ensured that the underlying data and infrastructure measure up against these four requirements, the framework then drills down to pinpoint causes of operational risks along the entire payments value chain, enabling actions to be taken to manage them more effectively. Again, the framework does this by focusing on four areas:

1. External events

These causes range from natural disasters, via hacking, fraud and information theft, to terrorist attacks and vandalism. There is no way of managing the risk of an earthquake in a particular location, so its effects must be minimised, perhaps through multi-center parallel processing in different locations. Exposures to hacking or theft can be identified and mitigated through more effective controls and security, as can the threats of terrorism and vandalism.

2. Systems

Causes in this category include hardware, software and communications outages or disruptions, and loss of access to critical market data from key suppliers. The weakest links or “pinch-points” in the systems infrastructure need to be identified from an end-to-end volume and data-flow perspective. This requires looking across operational units, while taking into account ongoing changes such as fluctuating volumes and systems upgrades.

3. Processes

Causes of risks in this category may include miscommunication along the payments value chain, missed deadlines or delivery failures, accounting errors, collateral management failures and inaccurate reporting. The assessment includes a gap analysis of the historical failure rate of process components against their likely future failure rate, and of their actual performance and efficiency against the targeted levels. For example, we worked with one bank where it was taking 30 days to deliver vital payments information to the regulator, and an end-to-end review of the process enabled us to automate some key steps and cut this immediately to 15 days. In other cases, changes may be needed around authorisation processes, including altering the number of “pairs of eyes” involved in the peer review. With every change, an end-to-end process view is vital for ensuring there are no unforeseen and unwanted impacts at other points in the payments value chain.

4. People

The people-related operational risks in payments come down to whether a risk-aware culture and behaviours are embedded in the workforce. Clearly, active wrongdoing such as fraud, theft and insider trading are at one extreme of the behavioural continuum. But there are also risks around more passive behavioural failings, such as authorisation processes not being followed properly or a failure to report transactions accurately. It is also vital to employ and develop the right skills.

The assessment must examine factors such as the clarity of the job descriptions and objectives, the degree to which people are fulfilling those functions effectively on a daily basis, and the percentage of non-compliance across the group. Have there been instances of internal fraud, and if so, where? Do the levels of authorisation required for different sizes of payment strike the right balance between control and practicality? Is there sufficient orientation and training in the mandated processes? Are the right skillsets being acquired and developed, and the right behaviours incentivised by the reward programmes?


Figure 3: Six stages in the implementation of the Operational Risk Framework

1. Payment Acquisition

• Review current risk assessment procedures
• Agree definition of "Operational Risk"
• Agree in scope areas, e.g.: SWIFT; Domestic RTGS; CLS; Wholesale Payments; Securities settlement; Cross Border
• Review relevant reports
• Prepare checklists
• Identify key contacts
• Agree basis of joint working
• Communicate approach

2. Review Current Environment

• Network
• Data
• Applications
• Technical platforms
• Facilities
• Personnel
• Operations
• Data quality/integrity
• Availability
• Users
• Security level
• Security mgmt
• Resilience
• Current projects
• Legal framework
• Volume/value
• Confidentiality
• Security documentation
• Application maintenance
• Q/A procedures

3. Review Current Processes

• Business activities
• Processes
• Management
• System development
• Operations (Back-office)
• IT-operations
• Information security
• Payment systems
• Outsourcing procedures (if relevant)
• Business continuity

4. Document Risk Profiles and Controls

• Document and collate risk profiles and controls by: Business unit; Department; Product; Channel; System

5. Risk Scoring

• Agree weighting of appropriate risk scoring criteria
• Agree risk score of different risks identified
• Aggregate/consolidate risk position by: Business unit; Department; Product; Channel; System

6. Approval of Risk Assessment/Syndication

• Syndicate findings with relevant stakeholders
• This leads into longer term discussions on: Risk mitigation; Risk management; Risk mitigation plan; Audit plan; Audit schedules

Implementation process and benefits

The programme to implement the Accenture Operational Risk Framework in the payments supply chain can be divided into six stages, as shown in Figure 3. Each stage contains a distinct set of tasks, producing outputs and insights that feed into and support the subsequent stages. By phase 6, ‘Approval of Risk Assessment/Syndication’, the bank executives and Accenture team have all the information and benchmark data needed to agree the optimal actions and changes to the bank’s operational risk management approach.

One of the key benefits of the framework—especially in the current cost-constrained environment—is that it enables the bank to pinpoint the most appropriate and cost-effective positioning for its actions on the continuum of options open to it (see Figure 2). To address management of operational risk in payments, the spectrum of possible approaches ranges from doing nothing to replatforming the entire value chain. Throughout the spectrum, there is a trade-off between the cost of the required change programme and acceptable levels of retained risk.

Rather than assuming the existing payments value chain is broken and throwing money at a major IT investment in a new platform, the framework enables the programme to work from bottom up — examining the current status of operational risk management end-to-end, and only fixing things if they are broken. This accurate targeting of investment makes the framework a highly cost-effective approach with a quick and demonstrable payback. This in turn means the programme is likely to succeed in hitting the business case for funding by the bank.

Figure 2: The continuum of options for operational risk management

[Figure: a continuum running from "Take no action", through "Targeted actions to control and manage specific operational risks", to "Replatform the payments engine/create centralised utility".]

In our experience working with leading payment services providers, we have noted that taking a long-term view of operational risk that evolves in line with new regulations, innovation and technological advances and industry best practices will help organisations sustain competitive advantage. Given there are no quick-win solutions to becoming an operational risk leader in payments, we recommend that a pragmatic approach takes into account the following:

• Periodic review and due diligence of existing risk management processes that takes into account people, process and technology aspects,

• Robust trend analysis and deep dive into recurring problem areas

• Development of dashboards, reporting tools and risk attestation processes to allow business unit heads and business application owners to communicate both a big-picture view and detailed view of key risks to senior management (e.g. COO, CRO and CEO) and

• Leveraging specialist knowledge available across the organisation to determine and influence key investment areas for the long term.

The case study below shows how we helped a leading commercial and consumer card issuer take targeted actions to control and manage business operational risks, via development of a strategic business operational risk dashboard and ongoing attestation by business owners to periodically assess and improve management of key business risks.

Case study

This client was facing multi-million pound losses resulting from risk events and incidents in various business units. The client conducted a high-level root cause analysis of incidents to determine the source and extent of losses resulting from changes to business and operational processes and policies that did not have corresponding changes to impacted business applications and systems implemented, and those where the original operational specifications were incorrect which led to unexpected results. A position paper was presented to Executive Committee, which recommended a targeted review across various strategic business units to identify critical business processes that had a potential for financial loss, level of risk associated with the global portfolio of products and to identify areas of concerns and development of recommendations and actions to address those concerns.

Accenture performed a current state assessment using a structured review process across various businesses and operational departments (i.e. Operational Risk, Business Incident Management teams, IT, Control Management, Internal Audit and SOX). Assessment objectives were defined and agreed with key stakeholders across these departments. Capability Assessment Reviews were completed via interviews with key staff – this included review of existing control processes, risk events and operational integrity issues. Key findings, recommendations and near-term and long-term action plans for each business area were presented to the Executive Committee. Accenture recommended, designed and implemented a common, Strategic Operational Risk Assessment Safety Dashboard for the periodic identification, reporting and attestation of key business risks to senior management. This included aggregation of risks reported in other channels and validation with Internal Audit, Operational Risk and Business Continuity teams prior to submission to Senior Management. This enabled a robust mechanism to help business owners report on key risks in Executive Committee Meetings and to develop and communicate action plans in a transparent manner.

Conclusion: time to seize control

While operational risk is not a primary driver of investment in payments infrastructures, it is clearly an important consideration — especially in today’s post-crisis environment. In our view, it is vital to ensure that the bank has a firm grasp of these risks, and to approach them from an end-to-end-control standpoint.

Figure 4 illustrates a basis for decision-making on the required response. At one extreme, a bank with relatively low risk and low payments volumes may be able to gain sufficient assurance through ongoing monitoring. At the other, a bank with high risk and a large and complex payments operation may need to consider replatforming. Our experience shows that most banks are between these two extremes, making them ideally suited to using our Operational Risk Framework to identify and tackle risk ‘hot-spots’ along the value chain, in addition to maintaining a sustained approach for strategic operational risk improvements, in line with regulatory, technology and industry developments.

At root, the framework is about enabling the bank to stay in control of its changing risk universe—and thereby enabling it to stay in business. The benefits include helping to prevent a crisis of trust that could trigger a potentially disastrous run on the bank’s funds. Whatever the bank’s growth strategy for the future, its ability to maintain confidence and trust is a critical success factor. Effective management and control of operational risks in payments will remain a critical element in achieving this.

Figure 4: Mapping risk profile against complexity and scale

[Figure: axes are "Current Op Risk based on Basel Capital Adequacy ratio" and "Complexity and scale of payments operation". Labelled responses: Monitor and manage; Implement targeted operational risk improvements; Sustained operational risk improvements; Consider replatforming.]

To find out how Accenture can help your bank manage operational risks in payments more effectively, please contact:

Jonathan Maskery
Senior Executive
Financial Services, Payments
+44 [email protected]

Sulabh Agarwal
Senior Manager
Financial Services, Payments
+44 [email protected]

Sridhar Krishnamoorthy
Manager
Financial Services, Risk Management
+44 20-7844-5503 [email protected]

What’s next in the Time for Bold Moves publication series

Over the course of the year, we will be issuing points of view addressing different aspects of each of the Time for Bold Moves ‘Imperatives for Growth’ (see front inner cover). Below are the upcoming and recently released publications in the series.

What’s next:

• Making Mobile Banking part of ‘Mobile Life’
• Insight Advantage – Our Vision of Analytics in Financial Services
• How UK Banks can Respond to the Voice of the Customer
• Cost Structure for the New Banking Model
• UK Mortgage Market Review

Recently published:

• Helping Banks Manage Change and Complexity
• Seizing the Cash Management Opportunity

Contact us

To know more about the 'UK Banking Time for Bold Moves' Model, Research, Upcoming Events or Future Publications please contact:

Alastair Blair Head of Banking UKI +353 1 646 2120 [email protected]

David Parker Financial Services, Banking +44 20 7844 3216 +44 77 9965 8716 [email protected]

Geetika Rai Financial Services, Marketing +44 20 7844 5982 [email protected]

Copyright © 2011 Accenture All rights reserved.

Accenture, its logo, and High Performance Delivered are trademarks of Accenture.

About Accenture Accenture is a global management consulting, technology services and outsourcing company, with approximately 211,000 people serving clients in more than 120 countries. Combining unparalleled experience, comprehensive capabilities across all industries and business functions, and extensive research on the world’s most successful companies, Accenture collaborates with clients to help them become high-performance businesses and governments. The company generated net revenues of US$21.6 billion for the fiscal year ended Aug. 31, 2010. Its home page is www.accenture.com.